ZeroAccess/Sirefef infects up to 9 million PCs

The ZeroAccess rootkit, also known as Sirefef, has grown its command-and-control infrastructure over the past year and now spans the globe, infecting up to 9 million PCs. Its botnet started growing rapidly once it passed one million infections and has since multiplied that figure by nine.

Like the new TDL4 variant, it can create its own hidden partition, which is a problem for PC users because the existence of such a partition normally goes unnoticed. Tools such as TDSSKiller, however, can see through the disguise. There are two botnets, each with a 32-bit and a 64-bit variant (four distinct botnets in total), and the malware is usually delivered through exploits.

Fast facts:

The latest versions appear to have no kernel-mode component, so they no longer infect drivers as earlier versions did. They instead rely on user-mode components and create a directory named with their own GUID (a CLSID-style string) in the following locations:

c:\windows\installer\{GUID STRING}

c:\users\<user>\AppData\Local\{GUID STRING}

C:\Windows\System32\config\systemprofile\AppData\Local\{GUID STRING}

C:\RECYCLER\S-x-x-x\${RANDOM STRING}

It also stores its payload files in these locations:

C:\Windows\assembly\GAC\Desktop.ini

On x64: c:\windows\assembly\GAC_32\Desktop.ini and c:\windows\assembly\GAC_64\Desktop.ini

It also infects c:\windows\system32\services.exe

Each botnet uses its own pair of ports:

Ports 16464 and 16465 are used by one botnet, covering both the 32-bit and 64-bit platforms.

Ports 16470 and 16471 are used by the other botnet, again for both platforms.
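The file locations in the fast facts and the port pairs above are the indicators a responder would actually check for. The script below turns them into a host triage check. It is an added example written for this page, not code from the article or from any AV vendor: the paths and port numbers are the article's, while the GUID, the SID folder name, the Desktop.ini contents and the netstat listing are constructed so that it runs offline on any OS (point `scan_filesystem` at a mounted image root instead of the temp directory for real use).

```python
"""Host triage for the ZeroAccess/Sirefef indicators listed in the article.

Added example, not code from the article or from any AV vendor. The paths and
port numbers are the article's; the GUID, SID folder, file contents and
netstat listing below are constructed so the script runs offline on any OS.
"""
import re
import tempfile
from pathlib import Path

# CLSID-style directory name: {8-4-4-4-12 hex digits}
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Parents (relative to the system drive) where the dropper creates {GUID}.
# Per-user AppData\Local is handled separately, once per profile under Users\.
GUID_PARENTS = ("Windows/Installer",
                "Windows/System32/config/systemprofile/AppData/Local")

# Desktop.ini inside a GAC directory is not a normal Windows artefact.
PAYLOAD_FILES = ("Windows/assembly/GAC/Desktop.ini",
                 "Windows/assembly/GAC_32/Desktop.ini",
                 "Windows/assembly/GAC_64/Desktop.ini")

# One botnet on 16464/16465, the other on 16470/16471 (both bit-widths each).
ZEROACCESS_PORTS = {16464, 16465, 16470, 16471}


def _guid_dirs(parent):
    """Yield GUID-named subdirectories of `parent` (nothing if it is absent)."""
    if parent.is_dir():
        for child in parent.iterdir():
            if child.is_dir() and GUID_DIR.match(child.name):
                yield child


def scan_filesystem(root):
    """Return (kind, relative_path) hits under `root`, which stands in for C:\\."""
    root = Path(root)

    def rel(p):
        return p.relative_to(root).as_posix()

    hits = []
    parents = [root / p for p in GUID_PARENTS]
    users = root / "Users"
    if users.is_dir():
        parents += [prof / "AppData" / "Local" for prof in users.iterdir()]
    for parent in parents:
        hits += [("guid_dir", rel(d)) for d in _guid_dirs(parent)]
    hits += [("payload_file", p) for p in PAYLOAD_FILES if (root / p).is_file()]
    # RECYCLER\S-x-x-x\$<random>: a '$'-prefixed entry directly under a SID folder
    # (heuristic derived from the article's pattern, not a vendor signature).
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for sid_dir in recycler.iterdir():
            if sid_dir.is_dir() and sid_dir.name.startswith("S-"):
                hits += [("recycler_dropper", rel(c)) for c in sid_dir.iterdir()
                         if c.name.startswith("$")]
    return hits


def parse_netstat(text):
    """Parse 'netstat -ano'-style lines into (proto, local, remote, pid) tuples."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        pid = parts[-1] if parts[-1].isdigit() else None
        conns.append((parts[0], parts[1], parts[2], pid))
    return conns


def flag_ports(conns):
    """Return (proto, endpoint, pid) for every endpoint on a ZeroAccess port."""
    hits = []
    for proto, local, remote, pid in conns:
        for endpoint in (local, remote):
            port = endpoint.rsplit(":", 1)[-1]  # handles IPv4, [::]:port and *:*
            if port.isdigit() and int(port) in ZEROACCESS_PORTS:
                hits.append((proto, endpoint, pid))
                break
    return hits


# Constructed netstat output: PIDs and addresses are made up (RFC 5737 ranges).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    192.0.2.10:49213       198.51.100.7:16471     ESTABLISHED     1628
  UDP    0.0.0.0:16464          *:*                                    1628
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# Constructed GUID, not a real ZeroAccess identifier.
DEMO_GUID = "{F1C5A27D-7E3B-4D61-9A8E-0123456789AB}"


def demo():
    """Build a fake system drive in a temp dir, scan it, and check the netstat sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows/Installer" / DEMO_GUID).mkdir(parents=True)
        (root / "Windows/Installer/{not-a-guid}").mkdir()             # must be ignored
        (root / "Users/alice/AppData/Local" / DEMO_GUID).mkdir(parents=True)
        (root / "Windows/assembly/GAC").mkdir(parents=True)
        (root / "Windows/assembly/GAC/Desktop.ini").write_text("[.ShellClassInfo]\n")
        (root / "RECYCLER/S-1-5-18/$a1b2c3").mkdir(parents=True)       # constructed name
        fs_hits = scan_filesystem(root)
    return fs_hits, flag_ports(parse_netstat(SAMPLE_NETSTAT))


if __name__ == "__main__":
    fs, net = demo()
    for hit in fs + net:
        print(hit)
```

Two caveats when reading the results. Legitimate Windows Installer product folders also live under c:\windows\installer\{GUID}, so a GUID-named directory there is a triage candidate rather than proof of infection; the Desktop.ini in a GAC folder and the RECYCLER entry are the stronger signals. Likewise a single connection to one of the four ports can be an ephemeral-port coincidence, so treat a port hit as a reason to look at the owning PID, not as a verdict.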